Closed benja-wu closed 2 years ago
My suggestion is to refer to other mesh products. No matter Istio or OSM, an extra component, a certificate-manager (Citadel in Istio, Vault in OSM), is introduced, but I don't see it in your design. What do you think about it? A certificate-manager is at least responsible for providing a common trust root to allow sidecars to validate and authenticate each other.
The names `model` and `refreshInterval` are too general for mTLS. Please make them specific, such as `securityLevel` and `certRefreshInterval`, or move them under the `security` section.
And do we support both automatically generating certs by the control plane (only refreshed by the control plane) and manual configuration from users?
@xxx7xxxx Vault. So I am working on figuring out OSM's design. We should also support outer cert providers here. Let me update this design later. Close after it is merged.
Background
Requirements
`permissive` and `strict`.
Design
MeshController Spec
Adding a certificates structure for every mesh service; it contains the HTTP server's cert and key for Ingress/Egress.
`CertManager` and `CertProvider` modules in MeshMaster. `CertManager` is responsible for calling the `CertProvider` interface and storing the results in EaseMesh's Etcd. `CertProvider` is responsible for generating the cert/key for root and application usage from the CA provider. Currently we only support the mesh self type `CertProvider`; we can add a Vault type provider in future.
Related modification
`tls.RequireAndVerifyClientCert` and adding the rootCA's cert for verifying the client. If `mtls` is set in HTTPServer, then it will run with client auth enabled. `mtls` configuration section: if it's not empty, the proxy will use it to set HTTPClient's TLS config.
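One way to wire the `mtls` section into both sides of the sidecar, as an added example that is not EaseMesh's own code: `MTLSSpec`, `TLSConfigs` and `SampleSpec` are assumed names, and the self-signed sample cert stands in for what `CertProvider` would issue under the mesh root. The server side requires and verifies the client cert against the root CA; the client side presents the service cert and trusts the same root; an empty section yields no TLS config at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// MTLSSpec stands in for the proposed `mtls` section (field names are assumptions): PEM bundles the proxy loads.
type MTLSSpec struct{ RootCA, Cert, Key []byte }

// TLSConfigs builds both sides from one mtls section: the HTTPServer config requires and verifies a client
// cert against the mesh root CA; the HTTPClient config presents the service cert and trusts the same root.
func TLSConfigs(s MTLSSpec) (*tls.Config, *tls.Config, error) {
	if len(s.RootCA)+len(s.Cert)+len(s.Key) == 0 {
		return nil, nil, nil // empty section: proxy keeps speaking plain HTTP
	}
	cert, err := tls.X509KeyPair(s.Cert, s.Key)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(s.RootCA) {
		return nil, nil, errors.New("rootCA: no PEM certificate found")
	}
	server := &tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	return server, &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// SampleSpec is constructed test input: one self-signed cert acting as both root CA and service cert.
func SampleSpec() (MTLSSpec, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return MTLSSpec{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mesh-root"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	pemOf := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return MTLSSpec{RootCA: pemOf("CERTIFICATE", der), Cert: pemOf("CERTIFICATE", der), Key: pemOf("EC PRIVATE KEY", keyDER)}, err
}
```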